JonnySnip3r Posted May 27, 2010
Hey guys, I'm pretty new to PHP and I'm currently making a full data-driven site (biggest thing I have built), so I'm hoping someone can help me or point me in the right direction. OK, I have a page called tutorials.php and people can access this via the posts I make on the site, so if they select a Java tutorial it takes them to tutorials.php?id=1. Now my mate is pretty good with SQL injection; I asked him to test it and it's vulnerable. However, this site is far too big to scrap and use prepared statements, so how can I prevent SQL injection via the URL? Hope someone can help, thanks!!
Link to comment https://forums.phpfreaks.com/topic/203147-protection-against-sql-injection-through-the-url/
-Karl- Posted May 27, 2010
Show us some code, and what type of injection he's found; then we can help further. You have to remember to sanitize any data which is going to be inserted into the database.
JonnySnip3r Posted May 27, 2010 (Author)
Hey, he pasted this code to me:

UNION SELECT 1,2,username,password,5,6,7,8,9 from users where id=1 -- CONCAT_WS(CHAR(32,58,32),user(),database(),version())

and here is the code for this site:

<?php
require_once '../includes/global.php';

if (isset($_GET['newtutorial'])) {
    // The raw query-string value is placed straight into the SQL text.
    $id = $_GET['newtutorial'];
    $result = mysql_query("SELECT * FROM posts WHERE id=$id LIMIT 1");
    while ($row = mysql_fetch_array($result)) {
        // Get Data
        $category = $row['category'];
        $member   = $row['member'];
        $title    = $row['title'];
        $contents = $row['contents'];
        $date     = $row['date'];
        $image    = $row['image'];
        $video    = $row['video_url'];
    }
}
?>

Just remember I'm a noob haha, so some things could be changed.
kenrbnsn Posted May 27, 2010
Never use any data gotten from the user without first sanitizing it. For data that's going to be used in a MySQL query, at least use the function mysql_real_escape_string if you're expecting a string. If you're expecting an integer, you can use intval.

<?php
require_once '../includes/global.php';

if (isset($_GET['newtutorial'])) {
    // Escaping only protects a value that is quoted in the SQL, so the
    // escaped $id is wrapped in single quotes below; MySQL still compares
    // it numerically against the integer id column.
    $id = mysql_real_escape_string($_GET['newtutorial']);
    $q = "SELECT * FROM posts WHERE id='$id' LIMIT 1";
    $result = mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error());
    while ($row = mysql_fetch_assoc($result)) {
        // Get Data
        $category = $row['category'];
        $member   = $row['member'];
        $title    = $row['title'];
        $contents = $row['contents'];
        $date     = $row['date'];
        $image    = $row['image'];
        $video    = $row['video_url'];
    }
}
?>

or

<?php
require_once '../includes/global.php';

if (isset($_GET['newtutorial'])) {
    // intval() yields a plain integer, so nothing but digits can reach the SQL.
    $id = intval($_GET['newtutorial']);
    $q = "SELECT * FROM posts WHERE id=$id LIMIT 1";
    $result = mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error());
    while ($row = mysql_fetch_assoc($result)) {
        // Get Data
        $category = $row['category'];
        $member   = $row['member'];
        $title    = $row['title'];
        $contents = $row['contents'];
        $date     = $row['date'];
        $image    = $row['image'];
        $video    = $row['video_url'];
    }
}
?>

Ken
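The following is an added example and not code from the thread or from either poster. It runs the same `posts` lookup three ways against an in-memory SQLite database so it is self-contained: the original string-spliced query fed the exact UNION payload quoted above, an integer-validating version that rejects the payload outright, and a PDO prepared statement. The table layout is an assumption (the payload selects nine columns, so `posts` is given nine; the column names come from the posted code), the sample rows are constructed, and `addslashes()` stands in for `mysql_real_escape_string()` because no MySQL connection is involved. Note also that the `mysql_*` functions used in the thread were removed in PHP 7, so anything written today has to use mysqli or PDO anyway.

```php
<?php
// Added example, not code from the thread. Table layout is assumed: the posted
// UNION payload selects nine columns, so `posts` gets nine; column names are
// taken from the posted code. Sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, category TEXT, member TEXT,
    title TEXT, contents TEXT, date TEXT, image TEXT, video_url TEXT, extra TEXT)");
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO posts VALUES (1,'java','jonny','Java tutorial','body','2010-05-27','','','')");
$pdo->exec("INSERT INTO users VALUES (1,'admin','constructed-password-hash')");

// 1. What the thread's page does: the raw GET value is spliced into the SQL text.
function fetch_post_unsafe(PDO $pdo, string $rawId): array
{
    $q = "SELECT * FROM posts WHERE id=$rawId LIMIT 1";
    return $pdo->query($q)->fetchAll(PDO::FETCH_NUM);
}

// 2. Validate rather than escape: an id is a positive integer or it is nothing.
//    Unlike intval(), which turns "1 UNION ..." into 1, this returns null for junk.
function post_id_from_request(array $get): ?int
{
    if (!isset($get['newtutorial'])) {
        return null;
    }
    $id = filter_var($get['newtutorial'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Same query text as the page, but only ever built from a validated int.
// This is the minimal per-page fix when the query strings cannot be rewritten.
function fetch_post_validated(PDO $pdo, array $get): array
{
    $id = post_id_from_request($get);
    if ($id === null) {
        return [];
    }
    return $pdo->query("SELECT * FROM posts WHERE id=$id LIMIT 1")->fetchAll(PDO::FETCH_NUM);
}

// 3. The general fix: a prepared statement keeps the value out of the SQL text.
function fetch_post_prepared(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM posts WHERE id = :id LIMIT 1");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Why escaping alone does not help here: the payload contains none of the
// characters an escaping function rewrites (quotes, backslash, NUL), so it
// passes through unchanged. addslashes() stands in for mysql_real_escape_string().
function escaping_changes_payload(string $payload): bool
{
    return addslashes($payload) !== $payload;
}

// The payload from the thread, appended to a legitimate id as it would be in the URL.
$payload = "1 UNION SELECT 1,2,username,password,5,6,7,8,9 from users where id=1 -- "
         . "CONCAT_WS(CHAR(32,58,32),user(),database(),version())";

echo "unsafe query with the thread's payload:\n";
foreach (fetch_post_unsafe($pdo, $payload) as $row) {
    echo '  ', implode(' | ', $row), "\n";
}
echo "escaping changes the payload: ",
     var_export(escaping_changes_payload($payload), true), "\n";
echo "validated id from payload: ",
     var_export(post_id_from_request(['newtutorial' => $payload]), true), "\n";
echo "validated id from '1': ",
     var_export(post_id_from_request(['newtutorial' => '1']), true), "\n";
echo "validated lookup with payload, rows returned: ",
     count(fetch_post_validated($pdo, ['newtutorial' => $payload])), "\n";
echo "prepared lookup for id 1: ",
     implode(' | ', fetch_post_prepared($pdo, 1)[0]), "\n";
```

Run with `php` from the command line (the `pdo_sqlite` extension is required). The unsafe query prints the tutorial row and, beside it, the `users` row with `admin` and its password column, because the `--` at the end of the payload comments out the page's own `LIMIT 1`. The escaping check reports false, which is the point of the thread: `mysql_real_escape_string()` on an unquoted numeric value leaves this payload untouched. The validating version returns null for the payload and no rows, and the prepared statement never builds SQL from user input at all. Of the two answers above, `intval()` is safe but silently serves post 1 for any garbage that starts with a digit, whereas `FILTER_VALIDATE_INT` lets the page reject the request instead.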
JonnySnip3r Posted May 27, 2010 (Author)
Thank you very much, dude!! Helped a lot, and fast. Cheers!